Re: Bug in tlso_session_chkhost?
- To: Quanah Gibson-Mount <firstname.lastname@example.org>, email@example.com
- Subject: Re: Bug in tlso_session_chkhost?
- From: Howard Chu <firstname.lastname@example.org>
- Date: Tue, 9 May 2017 19:43:05 +0100
- In-reply-to: <796AD360ECF1C55A642A8F3B@[192.168.1.19]>
- References: <2A006134276576B5A86D7A20@[192.168.1.19]> <WMemail@example.com> <firstname.lastname@example.org> <796AD360ECF1C55A642A8F3B@[192.168.1.19]>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2
Quanah Gibson-Mount wrote:
> --On Tuesday, May 09, 2017 11:01 AM +0100 Howard Chu <email@example.com> wrote:
>
>>> if I remove the check against the "localhost" name, things succeed as
>>
>> Fwiw, I routinely test with a localhost cert, and this check has never
>> tripped for me. But my ldap_int_hostname is also "localhost" - apparently
>> something on your system insists that your hostname is "u16build".
>
> One of the main tenets of the test suite is that it be portable. I think
> mandating that anyone who wants to run the test suite must use a host with a
> hostname set to "localhost" is untenable. Because of this bug, the test
> suite will have to have a dependency on the "openssl" command line binary so
> that it can generate certs based on the hostname of the system where it is
> being run. Without this problematic code, we could simply check in
> pre-generated certs, removing that dependency.

Well, technically your certDN is invalid. The cn is supposed to be the FQDN,
and in your case it must be "u16build.xxxx.yyy" or somesuch. "subjectAltName"
means *alternative* name. It is totally correct for libldap to reject your
cert with a hostname mismatch when the cert cn is incorrect.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project